Intrusion detection, fault detection, and fraud detection are among many types of threat monitoring schemes enterprises conduct regularly, and oftentimes daily. However, the amount of data an enterprise processes daily, or even hourly, is massive. Accordingly, normal methods of anomaly detection, which require applying one or more rules to each event representative of a possible intrusion in an enterprise network can be slow and inefficient, rendering threat detection less effective. The more quickly a threat is detected, the more quickly intrusions can be caught and corrected. Thus, slow detection of threats in a system in which speed is vitally important may result in the spread of more threats. It is with respect to these and other general considerations that embodiments have been described.